Handle 403 Forbidden errors better

pull/2/head
Noah 2014-07-01 00:45:13 +00:00
コミット 969a758a8d
2個のファイルの変更28行の追加6行の削除


@ -56,12 +56,6 @@ Emoticons.load_theme()
def before_request():
"""Called before all requests. Initialize global template variables."""
# CSRF protection.
if request.method == "POST":
token = session.pop("_csrf", None)
if not token or str(token) != str(request.form.get("token")):
abort(403)
# Default template vars.
g.info = {
"time": time.time(),
@ -86,6 +80,12 @@ def before_request():
if not "login" in session:
session.update(g.info["session"])
# CSRF protection.
if request.method == "POST":
token = session.pop("_csrf", None)
if not token or str(token) != str(request.form.get("token")):
abort(403)
# Refresh their login status from the DB.
if session["login"]:
import rophako.model.user as User
@ -151,6 +151,11 @@ def not_found(error):
return render_template('errors/404.html', **g.info), 404
@app.errorhandler(403)
def forbidden(error):
return render_template('errors/403.html', **g.info), 403
# Domain specific endpoints.
if config.SITE_NAME == "kirsle.net":
import rophako.modules.kirsle_legacy
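Review bot: The relocated CSRF check in the second hunk compares the session token with `str(token) != str(request.form.get("token"))`, a plain inequality that leaks timing information and turns a missing form field into the literal string `"None"`; prefer `if not token or not hmac.compare_digest(str(token), str(request.form.get("token", ""))): abort(403)` (this needs `import hmac`, which is not visible in the hunk). The guard also fires only for `request.method == "POST"`, so if any route accepts other state-changing methods (PUT, DELETE, PATCH) they would bypass the token check; if the app only ever uses POST forms, a comment stating that assumption would help the next reader. `before_request` continues outside the hunk.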


@ -0,0 +1,17 @@
{% extends "layout.html" %}
{% block title %}Forbidden{% endblock %}
{% block content %}
<h1>Forbidden</h1>
Access to this page was denied. Most likely, this error was caused because a
check to prevent <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site
request forgery</a> has failed. This will sometimes happen if you had this site
open in two different browser tabs, and you submitted a form in one tab (on a
"newer" page) and then tried submitting a form on an older page.<p>
If this is the case, click your browser's "Back" button and then reload the
page you came from and try again (you may want to copy your message before
reloading in case your browser clears it out).
{% endblock %}
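Review bot: The new 403 template tells the user the denial was "most likely" a failed CSRF check, but the `forbidden` handler renders this same `errors/403.html` for every 403 the application raises, so the explanation can mislead when the cause is something else; consider softening the wording (e.g. "One common cause of this error is a failed check to prevent …") or passing a reason flag from the handler so the CSRF paragraph is shown only when it applies. The `<p>` at the end of the line ending `on an older page.<p>` opens a paragraph that is never closed; wrapping each paragraph in `<p>…</p>` keeps the markup well-formed. The Wikipedia link also uses plain `http://`; `https://` avoids mixed-content warnings if this site is served over TLS.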